From 7419ee02dfeff7a544e5f0f6f4f234e6d154fdc0 Mon Sep 17 00:00:00 2001
From: Bdale Garbee
Date: Mon, 19 Mar 2012 15:00:50 +0100
Subject: [PATCH] patches from Simon Ruderich that broaden use of hardening build flags
---
 common/Makefile.in | 5 +-
 compat/Makefile.in | 11 ++-
 debian/changelog | 6 ++
 debian/patches/actually-use-buildflags.diff | 92 +++++++++++++++++++++
 debian/patches/series | 1 +
 plugins/sudoers/Makefile.in | 2 +-
 src/Makefile.in | 2 +-
 7 files changed, 112 insertions(+), 7 deletions(-)
 create mode 100644 debian/patches/actually-use-buildflags.diff
diff --git a/common/Makefile.in b/common/Makefile.in
index a1319ef..9ee10c7 100644
--- a/common/Makefile.in
+++ b/common/Makefile.in
@@ -35,6 +35,9 @@ CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(top_srcdir) @CPPFLAGS@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
 
+# Linker flags
+LDFLAGS = @LDFLAGS@
+
 # OS dependent defines
 DEFS = @OSDEFS@
 
@@ -56,7 +59,7 @@ Makefile: $(srcdir)/Makefile.in
  $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
 
 libcommon.la: $(LTOBJS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(LTOBJS) -no-install
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTOBJS) -no-install
 
 pre-install:
 
diff --git a/compat/Makefile.in b/compat/Makefile.in
index 09a02b2..33f2e65 100644
--- a/compat/Makefile.in
+++ b/compat/Makefile.in
@@ -35,6 +35,9 @@ CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(top_srcdir) @CPPFLAGS@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
 
+# Linker flags
+LDFLAGS = @LDFLAGS@
+
 # OS dependent defines
 DEFS = @OSDEFS@
 
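Review bot: The link line changed in the `libcommon.la` hunk has `-no-install` and no `-rpath`, so libtool most likely builds a convenience archive there, and the linker hardening options carried in `$(LDFLAGS)` have nothing to act on until a final link consumes that archive. The same appears to hold for `libreplace.la` in compat/Makefile.in and `libparsesudoers.la` in plugins/sudoers/Makefile.in. The change is harmless, but a one-line comment would stop a reader assuming these rules are where the hardening lands, for example `# convenience library: LDFLAGS take effect on the final link of its consumers`. The rules that link the installed binaries start outside these hunks.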
@@ -62,19 +65,19 @@ Makefile: $(srcdir)/Makefile.in
  $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
 
 libreplace.la: $(LTLIBOBJS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(LTLIBOBJS) -no-install
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTLIBOBJS) -no-install
 
 siglist.c: mksiglist
  ./mksiglist > $@
 
 mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/missing.h $(top_builddir)/config.h
- $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
 
 fnm_test: fnm_test.o libreplace.la
- $(LIBTOOL) --mode=link $(CC) -o $@ fnm_test.o libreplace.la
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ fnm_test.o libreplace.la
 
 globtest: globtest.o libreplace.la
- $(LIBTOOL) --mode=link $(CC) -o $@ globtest.o libreplace.la
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ globtest.o libreplace.la
 
 @DEV@$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
 @DEV@ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@
diff --git a/debian/changelog b/debian/changelog
index 5c6a5b8..f30818c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+sudo (1.8.3p2-2) unstable; urgency=low
+
+ * patch to actually use hardening build flags, closes: #655417
+
+ -- Bdale Garbee Mon, 19 Mar 2012 14:58:39 +0100
+
 sudo (1.8.3p2-1) unstable; urgency=high
 
  * new upstream version, closes: #657985 (CVE-2012-0809)
diff --git a/debian/patches/actually-use-buildflags.diff b/debian/patches/actually-use-buildflags.diff
new file mode 100644
index 0000000..42bf4b5
--- /dev/null
+++ b/debian/patches/actually-use-buildflags.diff
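Review bot: In the `mksiglist` rule `$(LDFLAGS)` is inserted between `$(CFLAGS)` and `$(DEFS)`, which splits the compile-time options around a linker variable. Writing the line as `$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(LDFLAGS) $(srcdir)/mksiglist.c -o $@` keeps preprocessor and compiler options together and linker options last, matching the order used on the other link lines of this hunk. mksiglist is a generator that the build itself runs (`./mksiglist > $@`), and fnm_test and globtest are presumably test programs, so none of these three links changes what gets installed.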
@@ -0,0 +1,92 @@
+Description: Use build flags from environment (dpkg-buildflags).
+ Necessary for hardening flags.
+Author: Simon Ruderich
+Last-Update: 2012-03-13
+
+Index: sudo-1.8.3p2/src/Makefile.in
+===================================================================
+--- sudo-1.8.3p2.orig/src/Makefile.in 2012-03-13 17:46:43.069036559 +0100
++++ sudo-1.8.3p2/src/Makefile.in 2012-03-13 17:47:12.949037698 +0100
+@@ -101,7 +101,7 @@
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+
+ sesh: sesh.o
+- $(CC) -o $@ sesh.o
++ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ sesh.o
+
+ pre-install:
+
+Index: sudo-1.8.3p2/compat/Makefile.in
+===================================================================
+--- sudo-1.8.3p2.orig/compat/Makefile.in 2012-03-13 17:46:43.069036559 +0100
++++ sudo-1.8.3p2/compat/Makefile.in 2012-03-13 17:47:12.949037698 +0100
+@@ -35,6 +35,9 @@
+ # Usually -O and/or -g
+ CFLAGS = @CFLAGS@
+
++# Linker flags
++LDFLAGS = @LDFLAGS@
++
+ # OS dependent defines
+ DEFS = @OSDEFS@
+
+@@ -62,19 +65,19 @@
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+
+ libreplace.la: $(LTLIBOBJS)
+- $(LIBTOOL) --mode=link $(CC) -o $@ $(LTLIBOBJS) -no-install
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTLIBOBJS) -no-install
+
+ siglist.c: mksiglist
+ ./mksiglist > $@
+
+ mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/missing.h $(top_builddir)/config.h
+- $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
++ $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+
+ fnm_test: fnm_test.o libreplace.la
+- $(LIBTOOL) --mode=link $(CC) -o $@ fnm_test.o libreplace.la
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ fnm_test.o libreplace.la
+
+ globtest: globtest.o libreplace.la
+- $(LIBTOOL) --mode=link $(CC) -o $@ globtest.o libreplace.la
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ globtest.o libreplace.la
+
@DEV@$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
+ @DEV@ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@
+Index: sudo-1.8.3p2/common/Makefile.in
+===================================================================
+--- sudo-1.8.3p2.orig/common/Makefile.in 2012-03-13 17:46:43.013036558 +0100
++++ sudo-1.8.3p2/common/Makefile.in 2012-03-13 17:47:12.949037698 +0100
+@@ -35,6 +35,9 @@
+ # Usually -O and/or -g
+ CFLAGS = @CFLAGS@
+
++# Linker flags
++LDFLAGS = @LDFLAGS@
++
+ # OS dependent defines
+ DEFS = @OSDEFS@
+
+@@ -56,7 +59,7 @@
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+
+ libcommon.la: $(LTOBJS)
+- $(LIBTOOL) --mode=link $(CC) -o $@ $(LTOBJS) -no-install
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTOBJS) -no-install
+
+ pre-install:
+
+Index: sudo-1.8.3p2/plugins/sudoers/Makefile.in
+===================================================================
+--- sudo-1.8.3p2.orig/plugins/sudoers/Makefile.in 2012-03-13 17:46:42.985036557 +0100
++++ sudo-1.8.3p2/plugins/sudoers/Makefile.in 2012-03-13 17:47:12.949037698 +0100
+@@ -159,7 +159,7 @@
+ (cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile)
+
+ libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
+- $(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
+
+ sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la
+ $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(SUDOERS_LDFLAGS) $(LTLDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -export-symbols $(srcdir)/sudoers.sym -avoid-version -rpath $(plugindir)
diff --git a/debian/patches/series b/debian/patches/series
index 5e1f561..dafb562 100644
--- a/debian/patches/series
+++ b/debian/patches/series
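Review bot: The header of the new patch file carries Description, Author and Last-Update but no reference to the bug it closes and no upstream-forwarding status, although the changelog entry in this same commit names #655417. Adding `Bug-Debian: https://bugs.debian.org/655417` and a `Forwarded:` field with the actual status would tell the next maintainer whether these Makefile.in changes have to be carried across new upstream releases. A hardening patch that stops applying after an upstream update and is then dropped is easy to miss, because the package still builds.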
@@ -1,2 +1,3 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
+actually-use-buildflags.diff
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index 6c3c35c..71a316d 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -159,7 +159,7 @@ Makefile: $(srcdir)/Makefile.in
  (cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile)
 
 libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
 
 sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la
  $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(SUDOERS_LDFLAGS) $(LTLDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -export-symbols $(srcdir)/sudoers.sym -avoid-version -rpath $(plugindir)
diff --git a/src/Makefile.in b/src/Makefile.in
index 49ed68e..d81a368 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -101,7 +101,7 @@ libsudo_noexec.la: sudo_noexec.lo
  $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
 
 sesh: sesh.o
- $(CC) -o $@ sesh.o
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ sesh.o
 
 pre-install:
 
-- 
2.30.2
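Review bot: `$(LDFLAGS)` is added to the `libparsesudoers.la` link, but the `sudoers.la` rule shown as context directly below it, the module installed with `-rpath $(plugindir)`, still links with only `$(SUDOERS_LDFLAGS) $(LTLDFLAGS)`. Whether `SUDOERS_LDFLAGS` already includes `@LDFLAGS@` is not visible in this hunk, and unlike the common/ and compat/ hunks no `LDFLAGS = @LDFLAGS@` assignment is added to this Makefile.in, so both definitions should be confirmed earlier in the file. If they are missing, the plugin that sudo loads is linked without the hardening flags, and the change would be `$(CC) $(LDFLAGS) $(SUDOERS_LDFLAGS) $(LTLDFLAGS)` on that line.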
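Review bot: Nothing in this change verifies that the flags reach the installed binaries, which is the failure the changelog entry describes with "actually use". In the `sesh` rule the new `$(CFLAGS) $(CPPFLAGS) $(LDFLAGS)` sit on a link-only command, where `$(CPPFLAGS)` has no effect on an already compiled `sesh.o`; the compile rule for `sesh.o` and the link rule for `sudo` itself are outside the hunk. A post-build step in the packaging that runs `readelf -lW` on each installed ELF file and fails when no `GNU_RELRO` segment is present would catch a rule that drops the flags again.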